Self-Signed Certificate and Outlook VSTO Add-in Silent Installation


My CRM 4.0 design and deployment project is reaching the end of its testing and deployment phase. The Outlook Add-in I built with VSTO 3.0 and ClickOnce deployment finally has to be deployed to the client side, so now I am facing the digital signing details as well as silent installation on client machines without user interaction. I'll leave a summary of the steps here for later reference.

Major Steps:

1. Using an existing digital signing Certificate or creating a self-signed Certificate.

2. Signing the VSTO ClickOnce manifests with the Certificate.

3. Deploy / Import the Certificate to the client PCs.

4. Using command prompt to install VSTO package silently.

Details as follows:

1. Using an existing digital signing Certificate or creating a self-signed Certificate.

If you are obtaining a certificate from an existing CA, you need to obtain the private/public key pair in order to build the .pfx key pair file.

I am going to use a self-signed certificate to deploy the solution in the testing phase, so I'll go through the following steps.

I am referencing this post for most of the instructions: How to create your own code signing certificate and sign an ActiveX component in Windows. I'll put short instructions here for later reference.

a. Get OpenSSL.

b. Create Root CA Certificate.

        openssl genrsa -des3 -out ca.key 4096
        openssl req -new -x509 -days 365 -key ca.key -out ca.crt

c. Create the Intermediate Server Certificate and sign it with the Root CA Certificate.

        openssl genrsa -des3 -out server.key 4096
        openssl req -new -key server.key -out server.csr
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

d. Create the .pfx key pair for VSTO ClickOnce manifest Authenticode signing.

        openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt

e. Just in case, create the .snk public key file for later use.

        sn.exe -p exported.pfx exported.snk

f. You'll now have the following certificate files:

        ca.key: Root CA private key file.
        ca.crt: Root CA public key file.
        server.key: Server Certificate private key file.
        server.csr: Server Certificate signing request file (contains the public key).
        server.crt: Server Certificate public key file signed with the Root CA key files.
        exported.pfx: the Server Certificate key pair file for code signing in Visual Studio 2008.
        exported.snk: optional public key .snk file containing the server certificate for later use.

g. All you need for the later steps are:

        ca.crt: Root CA public key file.
        server.crt: Server Certificate public key file signed with the Root CA key files.
        exported.pfx: the Server Certificate key pair file for code signing in Visual Studio 2008.
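The same chain, scripted end to end as an added example (not the post's own commands): it drives openssl.exe from PowerShell, marks the leaf certificate explicitly as a non-CA code-signing certificate, verifies that the leaf chains to the root before anything is exported, and bundles the root into the PFX. Subjects, file names and passphrases are placeholders; openssl.exe is assumed to be on PATH.

```powershell
# Added example (not from the post): build a test Root CA and a code-signing
# leaf certificate with OpenSSL, verify the chain, and export the PFX that
# Visual Studio consumes. Assumes openssl.exe is on PATH. Subjects, file
# names and passphrases are placeholders.
$ErrorActionPreference = 'Stop'
$Out = Join-Path $PWD 'certs'
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$CaPass  = 'ca-passphrase-placeholder'
$PfxPass = 'pfx-passphrase-placeholder'

# Root CA: may sign other certificates (and CRLs) but nothing else.
Set-Content -Path "$Out\ca.ext" -Value @"
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"@
& openssl genrsa -des3 -passout "pass:$CaPass" -out "$Out\ca.key" 4096
& openssl req -new -key "$Out\ca.key" -passin "pass:$CaPass" -subj "/CN=Test Root CA" -out "$Out\ca.csr"
& openssl x509 -req -days 365 -sha256 -in "$Out\ca.csr" -signkey "$Out\ca.key" -passin "pass:$CaPass" -extfile "$Out\ca.ext" -out "$Out\ca.crt"

# Leaf: explicitly NOT a CA, and marked for code signing. A leaf without the
# codeSigning extended key usage can be rejected by signtool as not valid
# for signing even though the certificate itself is otherwise fine.
Set-Content -Path "$Out\codesign.ext" -Value @"
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
"@
& openssl genrsa -out "$Out\server.key" 2048
& openssl req -new -key "$Out\server.key" -subj "/CN=Test Add-in Publisher" -out "$Out\server.csr"
& openssl x509 -req -days 365 -sha256 -in "$Out\server.csr" -CA "$Out\ca.crt" -CAkey "$Out\ca.key" -passin "pass:$CaPass" -set_serial 01 -extfile "$Out\codesign.ext" -out "$Out\server.crt"

# Verify before exporting: the leaf must chain to the root and carry the EKU.
& openssl verify -CAfile "$Out\ca.crt" "$Out\server.crt"
if ($LASTEXITCODE -ne 0) { throw 'chain verification failed' }
$text = (& openssl x509 -in "$Out\server.crt" -noout -text) -join "`n"
if ($text -notmatch 'Code Signing') { throw 'leaf certificate lacks the codeSigning EKU' }

# PFX for Visual Studio; -certfile bundles the root so the chain travels
# with the key pair. Keep this file off the client PCs: they only need
# ca.crt and server.crt.
& openssl pkcs12 -export -inkey "$Out\server.key" -in "$Out\server.crt" -certfile "$Out\ca.crt" -passout "pass:$PfxPass" -out "$Out\exported.pfx"
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }
Get-ChildItem $Out -Filter '*.crt','*.pfx' | Select-Object Name, Length
```

Only the private keys (ca.key, server.key) and exported.pfx need to stay on the signing machine; the two .crt files are what the client-side import in step 3 consumes.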

2. Signing the VSTO ClickOnce manifests with the Certificate.

Use the exported.pfx file to set up VSTO ClickOnce manifest signing. You can also sign the assembly with this key pair to create a strong-named assembly, but that is not necessary to make the silent install work.

3. Deploy / Import the Certificate to the client PCs.

Import the certificates to every client PC, either manually by:

a. Importing ca.crt into the client PC's Certificate Store, under "Trusted Root Certificate Authorities".
b. Importing server.crt into the client PC's Certificate Store, under "Intermediate Certification Authorities".
c. Importing server.crt into the client PC's Certificate Store, under "Trusted Publishers".

or by using AD to deploy the Root CA to the client PCs; refer to this TechNet article for the steps.

4. Install the VSTO 3.0 prerequisites before installing the VSTO package.

According to this thread of posts, in order to install the VSTO package silently you have to use VSTOInstaller.exe with the /Silent switch instead of the setup.exe published by Visual Studio. VSTOInstaller.exe does not check the prerequisites, so they need to be installed on every client PC first.

a. .NET Framework 3.5 SP1

http://www.microsoft.com/downloads/details.aspx?familyid=ab99342f-5d1a-413d-8319-81da479ab0d7&displaylang=en

b. VSTO version 3.0 (x86)

http://www.microsoft.com/downloads/details.aspx?FamilyID=54eb3a5a-0e52-40f9-a2d1-eecd7a092dcb&displaylang=en

c. Office PIA 2007 package

When Visual Studio 2008 publishes the Office add-in package, the Office 2007 PIA installer is placed at publish\Office2007PIARedist\o2007pia.msi for installation and deployment. Locate the installer and install it.

5. Using the command prompt to install the VSTO package silently.

Open a command prompt manually (or use any other automated deployment method) and run the following command to install the VSTO package silently, without user interaction:

        c:\> "%commonprogramfiles%\microsoft shared\VSTO\9.0\VSTOInstaller.exe" /I "http://published.server/outlookaddin/OutlookAddin.vsto" /S

The command returns immediately, so you won't know whether the installation succeeded. By checking "Add/Remove Programs" in the Control Panel you can see whether your VSTO Add-in was installed. If it was not installed, remove the /S silent switch and run VSTOInstaller again to see what went wrong. If a warning dialog appears saying that you are about to install a component from an "unknown publisher", the certificate imports on the client PC went wrong somewhere and you need to check them or re-import them. If everything went well you only need to run this command and you will see the component installed via the Control Panel; no other user interaction is needed.
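The client-side part, the certificate import from step 3 followed by the silent VSTOInstaller command and the Add/Remove Programs check, as one added PowerShell script (not the post's own code). It uses certutil, which is present on every Windows version in question, so the same script can run from a logon script or any other deployment tool. The certificate directory, manifest URL and add-in display name are placeholders; the script writes to the LocalMachine stores and therefore needs an elevated prompt.

```powershell
# Added example (not from the post): import the certificate chain into the
# three machine stores named in step 3, run VSTOInstaller silently, and
# confirm the result through the Add/Remove Programs registry entry instead
# of by hand. Paths, URL and display name are placeholders. Run elevated.
param(
    [string]$CertDir     = 'C:\deploy\certs',
    [string]$ManifestUrl = 'http://published.server/outlookaddin/OutlookAddin.vsto',
    [string]$DisplayName = 'OutlookAddin'
)
$ErrorActionPreference = 'Stop'

# certutil store names: Root = Trusted Root Certification Authorities,
# CA = Intermediate Certification Authorities, TrustedPublisher = Trusted
# Publishers. Only the publisher certificate goes into TrustedPublisher;
# putting the root there would silently trust every certificate it issues.
$imports = @(
    @{ Store = 'Root';             File = (Join-Path $CertDir 'ca.crt') },
    @{ Store = 'CA';               File = (Join-Path $CertDir 'server.crt') },
    @{ Store = 'TrustedPublisher'; File = (Join-Path $CertDir 'server.crt') }
)
foreach ($i in $imports) {
    & certutil -addstore -f $i.Store $i.File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "import into $($i.Store) failed for $($i.File)" }
}

# Show what the Trusted Publishers store now holds, so a wrong or expired
# certificate is visible before the install is attempted.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Select-Object Subject, Thumbprint, NotAfter

# Same path as the post's command. On 64-bit Windows with 32-bit Office the
# installer may live under ${env:CommonProgramFiles(x86)} instead.
$installer = Join-Path $env:CommonProgramFiles 'microsoft shared\VSTO\9.0\VSTOInstaller.exe'
if (-not (Test-Path $installer)) { throw "VSTOInstaller.exe not found at $installer" }

# Start-Process -Wait blocks until the installer exits, unlike the plain
# command prompt invocation, so the exit code can be inspected.
$proc = Start-Process -FilePath $installer -ArgumentList @('/I', "`"$ManifestUrl`"", '/S') -Wait -PassThru
Write-Host "VSTOInstaller exit code: $($proc.ExitCode)"

# VSTO ClickOnce customizations install per user, so the Add/Remove Programs
# entry lives under HKCU rather than HKLM.
$uninstall = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$entry = Get-ChildItem $uninstall | Get-ItemProperty |
    Where-Object { $_.DisplayName -like "*$DisplayName*" }
if ($entry) {
    Write-Host "Installed: $($entry.DisplayName)"
} else {
    # Re-running without /S shows the dialog; an "unknown publisher" warning
    # means one of the imports above did not land in the expected store.
    throw 'add-in not found in Add/Remove Programs; rerun without /S to see the error'
}
```

Because the script checks the registry entry rather than trusting the installer's return, it gives the same pass/fail signal the post describes for the manual Control Panel check, which is what a logon script needs in order to decide whether to retry.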

6. VSTO ClickOnce AutoUpdate.

With .NET Framework 3.5 SP1 and VSTO 3.0, the ClickOnce application is now able to update itself when a new version is published to the server. So for the first-time install it's possible to use an AD logon script to check for and install the VSTO package silently, and for later updates you just replace the server-side files with the latest version; the next time the end user opens Outlook (or another Office application) it will check the server for the latest version and install it if necessary.

FYI.

Comments (6)

  1. Just as a side note. I tried to install the certificates using the Certificate Manager (in System32), which failed me greatly, but just double-clicking the server.csr and ca.csr files and installing them that way worked great.

    Thanks again!

  2. Followed the instructions and have my CA, server, and exported all ready. Verified through CERTMGR.MMC that it's all good AFAIK. Now, I am trying to use the exported file, or from the store, and I am having problems publishing with the exported PFX. I am getting the infamous error:

    An error occurred while signing: Failed to sign bin\Release\app.publish\setup.exe. SignTool Error: The signer's certificate is not valid for signing. SignTool Error: An error occurred while attempting to sign: bin\Release\app.publish\setup.exe

    CERTMGR.MMC shows the certificate to be valid. However VS2012 is claiming it is invalid. How do we create a certificate chain that is valid for VS2012? (or VS2010 I would imagine).

    My guess is that VS2012 ClickOnce requires 1024 bits and exactly that. No more (i.e. 4096), no less, as in: blogs.technet.com/…/rsa-keys-under-1024-bits-are-blocked.aspx

  3. Well, I don't know what happened. I regenerated my certs, CA, server, and such. Imported these through CERTMGR.MMC like the steps say. Then I selected my cert from the PFX *FILE*, and now it builds. Strange. Anyhow, I am more confident of the steps and that it will work now. Thanks!

  4. Next question, for anyone watching: this works as long as you are publishing from within Visual Studio. I've actually got this setting up through a CI server (Jenkins specifically), and I get the following error(s) when the publish step occurs.

    VisualStudioForApplicationsBuild:

     Deleting file "bin\Debug\DChem.Languages.Excel.AddIn.dll.manifest.pregam".

    C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\OfficeTools\Microsoft.VisualStudio.Tools.Office.targets(264,9): error MSB3482: An error occurred while signing: A certificate chain could not be built to a trusted root authority. [C:SourceProjectsJenkinsworkspacedchem-languages-excel-addin-masterDChem.Seeker.Languages.AddInDChem.Seeker.Languages.AddIn.csproj]

  5. Followed this blog post: superuser.com/…/how-can-i-start-certmgr-msc-for-computer-account

    Basically, work through the MMC.EXE Certificates snap-in and run for the machine, not the current user (default for CERTMGR.MMC). Voila, the build works!

  6. Almas says:

    I have done all steps but during installation it still asks for confirmation "Publisher verified. Are you sure you want to install this customization?" so I cannot install it in silent mode. what to do? What would you advise? Visual studio 12.

    Can something be done from publishing settings?